Corrective Action Obligations. The FMCNA Covered Entities agree to the following:

A. Conduct Risk Analysis

1. The FMCNA Covered Entities shall conduct an accurate and thorough assessment of the potential security risks and vulnerabilities to the confidentiality, integrity, and availability of the FMCNA Covered Entities' electronic protected health information ("ePHI") ("Risk Analysis"). The Risk Analysis shall incorporate the FMCNA Covered Entities' facilities, whether owned or rented, and evaluate the risks to the ePHI on their electronic equipment, data systems, and applications controlled, administered or owned by the FMCNA Covered Entities, that contain, store, transmit, or receive ePHI. Prior to conducting the Risk Analysis, the FMCNA Covered Entities shall develop a complete inventory of all of their facilities, categories of electronic equipment, data systems, and applications that contain or store ePHI, which will then be incorporated into their Risk Analysis.

2. Within fourteen (14) days of the Effective Date, the FMCNA Covered Entities shall submit to HHS the scope and methodology by which they propose to conduct the Risk Analysis described in paragraph A.1. HHS shall notify the FMCNA Covered Entities whether the proposed scope and methodology is or is not consistent with 45 C.F.R. § 164.308(a)(1)(ii)(A).

3. The FMCNA Covered Entities shall provide the Risk Analysis, consistent with paragraph V.A.1, to HHS within one hundred eighty (180) days of HHS' approval of the FMCNA Covered Entities' methodology described in paragraph V.A.2 for HHS' review. Within ninety (90) days of its receipt of the FMCNA Covered Entities' Risk Analysis, HHS will inform FMCNA Contact in writing as to whether HHS approves of the Risk Analysis or, if necessary to ensure compliance with 45 C.F.R. § 164.308(a)(1)(ii)(A), requires revisions to the Risk Analysis.

If HHS requires revisions to the Risk Analysis, HHS shall provide FMCNA Contact with a detailed, written explanation of such required revisions and with comments and recommendations in order for the FMCNA Covered Entities to be able to prepare a revised Risk Analysis. Upon receiving notice of required revisions to the Risk Analysis from HHS and a description of any required changes to the Risk Analysis, the FMCNA Covered Entities shall have sixty (60) days in which to revise their Risk Analysis accordingly and submit the revised Risk Analysis to HHS for review and approval. This submission and review process shall continue until HHS approves the Risk Analysis.
Sources: Resolution Agreement, Corrective Action Plan, Resolution Agreement